smtp-poplock: Selective SMTP relaying based on POP authentication for qmail
drh.net
David Harris, dharris@
Posted January 1, 1999.
April 30, 2002 -- latest version is 2.06.
Web page updated: August 12, 2005.
Abstract
This document describes a package which works with qmail to allow only
clients who have logged into the POP server to relay mail through
SMTP. It does not require patching the POP or SMTP servers; it is
implemented by a few programs which interface cleanly with the
system, and it can work with almost any POP or IMAP server.
Solve your SPAM-relay problems NOW!
Professional smtp-poplock installation.
Spammers abusing your system? Need a fix NOW?
Don't want to mess with installation options? Have the expert
— the smtp-poplock author — install it on your system.
Information on smtp-poplock installation here.
Available for consulting work
I am currently available for consulting work. For consulting,
I am happy to telecommute or come to your site for a period of time.
For more information about my skills and experience,
view my statement of consulting capabilities
or contact me for more information.
1. Description
Smtp-poplock is a simple system which only allows hosts that have
authenticated via the POP3 or IMAP server to relay mail using qmail.
Smtp-poplock does not require patching the POP3/IMAP server or qmail. It
is based on two programs: first, a daemon which monitors POP3/IMAP logins
and maintains an authorized hosts database; second, a wrapper for
qmail-smtpd which sets the RELAYCLIENT environment variable based on the
authorized hosts database. Setting this environment variable per connection,
in tandem with the control/rcpthosts file, allows only authorized hosts
to relay mail.
Smtp-poplock was designed to monitor POP3/IMAP logins by monitoring the
syslog for log lines. (I first started with the RH Linux 5.1 server.)
Porting to work with other POP3/IMAP servers which note user
authentication in the syslog should be easy.
The qmail-pop3d system does not log user authentication to the syslog.
However, this package details a way to easily add this functionality in
without having to patch any source code.
-----
Reference: The qmail home page.
(Qmail is a mail transport agent like sendmail, just better.)
2. Distribution & Installation
Current version: 2.06, released April 30, 2002.
Here are the files:
smtp-poplock-2.06.tar.gz - compressed archive
smtp-poplock-2.06.tar.gz.asc - signature
smtp-poplock-2.06/ - browse the individual files
Just download and expand the archive in /usr/src
(it will create its own directory inside /usr/src)
and follow the installation directions in the README file.
NOTE: If you are not using the latest version, I strongly recommend that you upgrade.
2.5. Configuration for use with Daemontools
I have been too occupied with other projects to update the installation
instructions for daemontools, but this kind fellow has put some stuff
together:
From: Michael mike a t brenden d o t com
Sent: Wednesday, August 10, 2005 1:54 AM
To: dharris a t drh d o t net
Subject: thank you
hello from just outside washington dc,
thank you for your wonderful smtp-poplock.
i'm running 0.76 of djb's daemontools, and i adapted smtp-poplock to run.
attached is smtppl.tgz which contains basic instructions and the
filetree that should be placed under /etc/ and then linked to from under
/service, in order to have svscan fork a supervise proc to sustain
readlog, per the directives in /etc/smtp-poplock/ dir
hope it helps someone.
thanks again!
michael / mike a t brenden d o t com
3. Announcement list
If you would like to be notified of new releases of smtp-poplock,
subscribe to the announcement list by sending an e-mail to:
- smtp-poplock-announce-subscribe@davideous.com
After you have confirmed your subscription request with the mailing list software,
the return address of the e-mail you sent will be added to the announcement list.
Later, to unsubscribe, send an e-mail to:
- smtp-poplock-announce-unsubscribe@davideous.com
If you would like to subscribe an e-mail address which is not your return
address, for example "john@host.domain", just add a hyphen and your
address (with '=' instead of '@') after the command word, creating:
- smtp-poplock-announce-subscribe-john=host.domain@davideous.com and:
- smtp-poplock-announce-unsubscribe-john=host.domain@davideous.com
This is a moderated list to which only I can post, so traffic should be very
minimal -- just occasional notes about new releases, not development traffic.
4. Technical details grabbed from README
4.1. Theory of operation
Whenever someone authenticates through POP3 a log message is sent to the
system logger (syslogd) or to a file by the POP3 daemon. A background
daemon process called "readlog" reads this log information, either
through a named pipe written to by the system logger or via a "tail -f"
process monitoring the log file directly. Whenever readlog reads
a POP3/IMAP authentication from the named fifo, it records the accessing
IP address and the time in the database file /var/smtp-poplock/dbfile.
This database is continually maintained by readlog.
When anyone connects via SMTP the wrapper program "relaylock" is run
before qmail-smtpd. Relaylock compares the accessing IP address with the
database of allowed hosts maintained by readlog. If the connecting host
is allowed to relay, then the environment variable "RELAYCLIENT" is set,
which is a flag to qmail-smtpd that this connection is allowed to relay
mail. After relaylock has checked the database and possibly set
"RELAYCLIENT", it runs qmail-smtpd, which carries on the SMTP chat with
the accessing user.
For qmail-smtpd to require the "RELAYCLIENT" environment variable before
relaying mail, the file control/rcpthosts must exist and contain the
domain/host names for which this server will accept mail. (For more
information on the qmail-smtpd side of the mechanism see
qmail-docs.surfdirect.com.au/docs/qmail-antirelay.html.)
There is a utility program called "showallowed" which will list the allowed
hosts from the /var/smtp-poplock/dbfile file.
If one is using a named pipe to pass POP authentication information to
readlog, then there is another little program which should be run in the
background as a safety measure. It is called "fifo-safety" and it
monitors the fifo to keep it from filling up if readlog fails for some
reason. You see, if readlog stops reading from the named pipe, the pipe
will fill up and block when syslogd writes, which then blocks syslogd
and anything which tries to use it, including login(1) and tcpd(8). This
is what's called a total system meltdown, and it happened to me.
4.2. Working with other OS's and POP/IMAP servers
Smtp-poplock was first designed to work on Red Hat Linux with their
POP3/IMAP server (IMAP4 rev1/c-client by Mark Crispin), but has been and
can be easily made to work with other systems.
All source code is in Perl. This was for ease of programming and for
portability. (Long live the kingdom!)
The only real requirement is that the POP3/IMAP server log user
authentication to some place (file or syslog service) where the
readlog daemon can get at it.
The current matching code has some default parsers which will work
out-of-box for a number of servers and for the qmail-pop3d logging.
Minor perl regular expression knowledge may be required to modify the
regular expression matching code to detect your particular POP3/IMAP
server. This code is an anonymous subroutine in a configuration file.
See the INSTALL file for more details.
If you get this running on another system or run into any system
dependent quirks that other people should know, send me an e-mail at
dharris@drh.net, and I'll add it to the README or INSTALL file.
4.3. History
There is some history here:
v2.06 -- April 02, 2002
- Changed license to LGPL or Artistic. Added LICENSE file with
the license terms. Also added LGPL and Artistic files with
the actual licenses.
- Fix problem where netmask of /24 was interpreted as /255.0.0.0,
instead of the proper /255.255.255.0.
(This was left out of the CHANGELOG file by accident.)
- Added new parse_log_sub contributions.
- Removed checkfifo. We could not get accurate results from
reading the size of the fifo. This means that fifo-safety
is probably also useless, but I'm going to leave it because:
(a) I'm not sure how to fix it, and (b) perhaps it will be
handy to someone.
- Added warnings about the daemontools upgrade from version
0.53 to 0.60 that breaks my supervise scripts.
- Moved the changelog from the README file to a CHANGELOG file.
- Added TODO file.
v2.05 -- May 09, 2001
- Fixed problem in default log parsing regular expression.
- Added INSTALL.parse_log_sub file.
- Added documentation for subnets in smtp-poplock.static_allowed
file.
- Fixed checkfifo program to work correctly with the new kernels
that require that a fifo be opened for reading before it can
be opened for writing.
- Added check for blank TCPREMOTEIP environment variable in
relaylock and logpopauth-pre
- Added documentation recommending having tcp-env executed on
the chain before relaylock since some people have noted that
the TCPREMOTEIP appears not to be getting set
- Fixed bug where pidfile was not being written
- Added support for writing a pidfile for any programs readlog
is reading from, using the "program |" syntax of the perl
open command. Also added support for sending a TERM signal
to this process when readlog receives a TERM signal.
- If the dbfile is truncated to a zero length file, all
existing "sessions" are terminated from memory. Previously
readlog remembered the sessions and re-wrote them to the
dbfile.
- Readlog now uses the internal "rename" function instead of
shelling out to the "mv" UNIX command.
- Specifying a custom $parse_log_sub now disables the default
pattern matching
- Changed the order of the catch-all log parsing regular
expressions in readlog to have the most generic parser match
second. Many people have asked for this change.
- Changed the catch-all log parsing regular expressions in
readlog to not match lines noting a login failure which are
in the form "date ipop3d[27692]: Login failure user=phap0019
host=master.debian.org [216.234.231.55]".
- Updated readlog-starter_nosupervise, readlog-starter_supervise
and smtpd-starter scripts.
- Added more descriptive note how to restart readlog after the
logfile is rotated when using a "tail -f" in INSTALL file.
- Added some more notes on running checkfifo in the INSTALL file.
v2.04 -- September 06, 1999
- Fix for problem with logpopauth-* programs.
- Mention of tcp-env in INSTALL document.
v2.03 -- August 03, 1999
- Fix for fifo-safety.
- The latest Linux kernels have a different behavior with
pipes, so I've created a new method for testing to see if
fifo-safety is working.
- Minor change in the "fall back" log line regular expression
in readlog.
- Readlog now deletes its pid file when exiting because of
reading an EOF.
- Note in INSTALL file about FreeBSD syslogd and general
cleanup of writing.
- Typo fix for readlog-starter_supervise file.
v2.02 -- July 27, 1999
- The fix for the logpopauth-* problem in v2.0 never made
it into the tar archive in v2.01... I feel so stupid.
v2.01 -- May 21, 1999
- Cleanup of the INSTALL and README files. (Thanks to Steve
Valliere for doing this for me.)
- Versions of logpopauth-* which actually work! (Version 2.0
had broken versions -- my bad.)
- Adding of description headers for /sbin/chkconfig in the
various /etc/rc.d/init.d starter scripts.
- Version numbers are now two digits.
v2.0 -- May 19, 1999
- Complete rewrite of README file, now much improved.
- Now an INSTALL file with detailed instructions and example
*-starter files to aid with installation.
- Modified readlog to write its pid out to /var/log/readlog.pid to
support running without supervise from the daemontools package.
- Added showallowed command.
- Added support for qmail-pop3d with logpopauth-* commands.
- Configuration moved from programs to /etc/smtp-poplock.conf.
- New feature: /etc/smtp-poplock.static_allowed.
- Made package install into directories conforming with filesystem
standards instead of just sitting in /usr/src/smtp-poplock.
- Readlog now supports logging formats which include hostnames
instead of just IP addresses.
- Changed programs which need to start up fast (relaylock,
logpopauth-*) to use the open command instead of the IO::File
module.
v1.0 -- January 1, 1999
4.4. Thanks to
First of all, thanks to Dan Bernstein for creating such a high quality,
extensible Mail Transport Agent.
Thanks to the following (in alphabetical order) for their help,
feedback, and patches:
- Adam <bezanson at mediaone.net>
- Aijaz A. Ansari <aijaz at fatiha dot com>
- Bryan T. Schmidt <bts at profitool dot com>
- Clemens Gutweiler <cg at webmaking dot ms>
- Derek C. <coffee at fatburrito dot com>
- Florian Dembeck <fd at mhw dot de>
- Mark Conway Wirt <mark at intrepid dot net>
- Michael Holzt <kju at fqdn dot org>
- Mike Schroll <logicx at logicx dot org>
- Nir Yeffet <nir at inbalsoft dot com>
- Peter Conrad <conrad at tivano dot de>
- Sebastiaan van Erk <sebster at sebster dot com>
- Steve Atkins <atkins at segsrv dot hlo dot dec dot com>
- Steve Valliere <svalli at e-visions dot com>
- Timothy Lorenc <lorenct at load dot com>
5. New log regex patterns
For dovecot:
$pat = '^(... .. ..:..:..) \S+ (?:pop3|imap)-login: Login: .+ \[(\d+\.\d+\.\d+\.\d+)\]';
$pat = '(?:pop3|imap)-login: (... .. ..:..:..) Info: Login: \S+ \[(\d+\.\d+\.\d+\.\d+)\]';
reported by mike a t brenden d o t com 8/10/2005
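The readlog/relaylock cycle from section 4.1, driven by the two dovecot patterns above, as an added Python example: this is not code from the smtp-poplock distribution (which is Perl). The log lines are constructed, and the 30-minute relay window is an assumption, since the page does not state how long readlog keeps an entry.

```python
import re
# The two dovecot patterns from section 5: group 1 is the syslog timestamp,
# group 2 the client IP that readlog records.
DOVECOT_PATTERNS = [
    re.compile(r'^(... .. ..:..:..) \S+ (?:pop3|imap)-login: Login: .+ \[(\d+\.\d+\.\d+\.\d+)\]'),
    re.compile(r'(?:pop3|imap)-login: (... .. ..:..:..) Info: Login: \S+ \[(\d+\.\d+\.\d+\.\d+)\]'),
]
# ASSUMPTION: the page does not say how long a login stays valid; 30 minutes
# is an example value, not smtp-poplock's own setting.
ALLOW_SECONDS = 30 * 60
# Constructed sample lines: two logins in the two formats, one failed login.
SAMPLE_LOG = [
    "Aug 10 01:54:00 mailhost pop3-login: Login: user=<alice>, method=PLAIN [192.0.2.10]",
    "Aug 10 01:55:12 mailhost imap-login: Aborted login (auth failed, 1 attempts) [198.51.100.7]",
    "Aug 10 01:56:30 mailhost dovecot: imap-login: Aug 10 01:56:30 Info: Login: user=<bob> [192.0.2.20]",
]

def parse_login(line):
    """Return the client IP of a successful POP3/IMAP login line, else None."""
    for pat in DOVECOT_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(2)
    return None

class AuthDB:
    """In-memory stand-in for /var/smtp-poplock/dbfile: ip -> last login time."""
    def __init__(self):
        self.allowed = {}
    def readlog(self, line, now):
        """readlog's job per log line: record the IP and time of a login."""
        ip = parse_login(line)
        if ip is not None:
            self.allowed[ip] = now
        return ip
    def expire(self, now):
        """Drop entries older than the relay window."""
        self.allowed = {ip: t for ip, t in self.allowed.items() if now - t <= ALLOW_SECONDS}
    def showallowed(self, now):
        """The showallowed utility: hosts currently allowed to relay."""
        self.expire(now)
        return sorted(self.allowed)

def relaylock(db, env, now):
    """relaylock: copy env, adding RELAYCLIENT only if TCPREMOTEIP has logged in."""
    ip = env.get("TCPREMOTEIP", "")
    if not ip:  # v2.05 fix: a blank TCPREMOTEIP must never unlock relaying
        return dict(env)
    db.expire(now)
    return dict(env, RELAYCLIENT="") if ip in db.allowed else dict(env)
```

The failed-login line is deliberately left unmatched, the same property the v2.05 changelog notes for the catch-all patterns; in the real chain tcp-env or tcpserver must set TCPREMOTEIP before relaylock runs.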